Linux Kernel Use-After-Free Vulnerability in proc_readdir_de Function

Vulnerability

A use-after-free vulnerability in the Linux kernel's handling of the /proc filesystem has been fixed. The issue is in the proc_readdir_de function: a directory entry (pde) is removed from the subdirectory red-black tree but not properly cleared, potentially leading to a use-after-free condition. It was identified during stress testing with the 'stress-ng' tool, by running the 'getdent' and 'tun' test cases simultaneously. The condition is triggered by traversing a specific /proc directory while network devices are being unregistered, which creates a window in which a released pde can be accessed.

Impact

This use-after-free may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by using the 'stress-ng' tool to traverse the /proc/pid/net/dev_snmp6/ directory while simultaneously unregistering network devices. Unregistering a device erases the corresponding pde from the red-black tree, and the pde is then released to the slab allocator. When the 'getdent' traversal continues, it accesses the released pde, triggering the use-after-free.
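
The ordering described above, replayed deterministically as an added user-space model (not kernel code and not the upstream patch): a linked list stands in for the red-black tree, a `freed` flag stands in for release to the slab allocator, and every name is hypothetical. It puts the erase-only behaviour beside an erase-and-clear variant, assuming the walk treats a cleared entry as having no successor.

```c
/* User-space model (added example, not kernel code). A list stands in for the
 * rb-tree; "freed" models release to the slab, so no freed memory is touched. */
#include <stdbool.h>
#include <stdio.h>

struct entry {
    const char *name;
    struct entry *next;   /* linkage inside the container */
    bool linked;          /* false once erased AND cleared */
    bool freed;           /* models "released to the slab allocator" */
};

/* Unlink e from the list. clear=false leaves e->next stale (the flaw the
 * advisory describes); clear=true also resets e's own linkage. */
static void erase(struct entry **head, struct entry *e, bool clear)
{
    for (struct entry **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; break; }
    if (clear) { e->next = NULL; e->linked = false; }
}

/* Advance the walk; an entry that is no longer linked has no successor. */
static struct entry *next_entry(struct entry *e)
{
    return e->linked ? e->next : NULL;
}

/* Replays the race in a fixed order. Returns true if the walk resumes onto
 * an entry that was already freed. */
bool walk_hits_freed_entry(bool clear_on_erase)
{
    struct entry b = { "dev_b", NULL, true, false };
    struct entry a = { "dev_a", &b, true, false };
    struct entry *head = &a;
    struct entry *cur = head;          /* reader pins "a", then drops the lock */

    erase(&head, &a, clear_on_erase);  /* a unregistered; reader's ref keeps it alive */
    erase(&head, &b, clear_on_erase);  /* b unregistered ... */
    b.freed = true;                    /* ... and, with no refs left, released */
    struct entry *n = next_entry(cur); /* reader retakes the lock and continues */
    return n != NULL && n->freed;
}

int main(void)
{
    printf("erase only: %d, erase and clear: %d\n",
           walk_hits_freed_entry(false), walk_hits_freed_entry(true));
    return 0;
}
```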

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Dec 6, 2025, 10:48 PM
Updated: Dec 6, 2025, 10:48 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.3
threat: 4.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.